Wasn't The Real Security Problem The Initial Leak Of State Dept. Cables Rather Than The Latest Leak Of Those Same Cables?

from the playing-the-blame-game dept

One of the myths around Wikileaks' original release of State Department cables was that the organization simply dumped all the cables unredacted and let everyone sort it out. That's simply not true. Wikileaks released only small batches of documents at a time, mostly in conjunction with newspaper reporters, and redacted sensitive info. While Wikileaks just did a big dump of additional cables, the big news that people are focused on is how a German newspaper found an encrypted file of all the cables that apparently has no redactions at all, and has a password that is easy to find. While the details aren't entirely clear, most of the evidence seems to suggest some sort of human error, in placing the encrypted file online and then, later, accidentally releasing the password to the file.

While it does seem like there's a fair bit of bad security and bad process on the part of Wikileaks, it does seem to be a little odd to pin the full blame on Wikileaks and various hacker groups as Paul Carr does here in his story on the new file:

In truth, it almost doesn’t matter who is responsible: the eventual release of the unredacted cables was inevitable. The message of Wikileaks — and the amoral cult of leaking for lulz that came in its wake — has always been one of callous contempt for the human cost of “free information”. From Assange’s well-publicised remarks to Guardian reporters that “if [informants] get killed, they’ve got it coming to them. They deserve it.”, to LulSec [sic] and Anonymous’ willingness to publish the personal details of anyone even tangentially associated with their ‘enemies’, what we see time and time again from mass-leakers is a sociopath’s disregard for individuals, combined with a Hollywood serial killer’s hunger for attention. Sooner or later — for attention, to make some misguided political point, for the lulz — someone was bound to obtain and leak the raw documents.

But all of this ignores where these documents came from originally. These cables were apparently available to hundreds of thousands -- if not millions -- of people within the government if they wanted to look at them. At that level of accessibility, it's not hard to realize that lots of people had these documents, and there's a fair likelihood that those working for foreign interests were able to get their hands on these documents long ago. The only folks who didn't have them were the public.

Now, I do disagree with the tactics that Anonymous and LulzSec tend to take (and, honestly, am still surprised that their attacks have been so effective). But, that's mainly because I just don't think such things legitimately move issues forward. Instead, they focus the discussion on the hacks, rather than the content of the hacks, and get people focused on what they believe to be a bunch of script kiddies (whether it's true or not).

But I think it's a bit silly to blame their attitude and hackings for this release. The documents and their details were almost certainly "available" to various foreign parties long before anyone leaked them to Wikileaks. While this latest release certainly shows some serious process problems with Wikileaks (no surprise there), it's kind of amazing that people aren't pointing out that the much bigger security/process problem was at the beginning of the chain, in which the documents were available to so many different people without much security or protection in the first place.

Reader Comments

Because there is much more motivation to keep people focused on Wikileaks being stupid than what Wikileaks had.

Example -
The Sony "Hacks" (level of hack required being a paperclip)
Everyone was screaming at the people who did it, bitching about having to change their passwords on ALL sites they used (as they used the same one everywhere), and calling for the Feds to find the "hackers" and punish them.
Sony played up how skilled the hackers were, and that this was something that no one could withstand.

The truth -
Sony had horribly lax procedures for security. These were made way more evident as site after site around the globe were compromised and unencrypted data was set free.

There are still people who are screaming for the "hackers" blood but they do not feel as much anger at Sony. Sony broke the rules for security, and while the data was leaked it was most likely not the first time it had ever been accessed.

I have a feeling that this "leak" of the file has something to do with the pissing contest between the frontmen of Wiki and Open leaks. Openleaks killed itself when its founder deleted a file containing information that Wikileaks had. No one will be able to say what was lost, and there is much PR spin to be had on both sides.
The issue is the Openleaks guy in trying to condemn bad practices by Assange committed a worse sin in destroying data that people had sent to Wikileaks.
Would you try to blow the whistle to someone who in a fit of anger would just delete what you risked yourself to get to them?

Don't read the cables, focus on people who might be outed as agents of the Government. Focus on the evil people who stole this and then didn't protect anyone. Ignore the law breaking exposed in the cables, ignore the bad faith in our policy, ignore the evil we do in the name of "good".

The initial leak was the problem. I'm a fan of knowing what the hell my government is up to as much as anyone else, but Manning did it in the most irresponsible manner possible.

Instead of picking through documents for information that truly was about coverups or wrongdoings, and there were surely some that qualified, he dumped all of it with a callous disregard to the real life and death consequences for those simply trying to do the right thing.

Wikileaks received the information and then didn't properly secure it.

The latest controversy just further demonstrates that some really shouldn't have access to information if they cannot use it responsibly.

Independent minds needed

The Fact -
There is a difference between security rules and breaking the law. There is no legal justifiable reason to enter a premise without permission, whether or not the security is lax. It isn't even justifiable morally. This is what supporters of Anonymous refuse to acknowledge.

Hacking is a federal crime, and has been a crime before Anonymous came to prominence. Everyone is more critical of criminal activity than of irresponsibility. The irony of Anonymous is the belief that crimes have been committed without any proof for the justification for breaking the law.

The problem with Anonymous is that the belief that they are doing something for a cause it must be right. With the earlier comment by TAC they seem to believe that if unauthorized access to a network has been done then there is no problem if it is done again. Even if it was the result of lax security, which is just wrong.

Our society can deal with all crimes whether it was committed by a kid out to impress his new friends, or a government official taking bribes.

Wikileaks and Anonymous's view on "law broken" in the cables is based on the idea that there are some in there, and just by finding them proves them correct. It isn't an issue of that crimes have been committed, but a belief that they have. Our society has lived through the evils of "guilty until proven innocent."

Wikileaks is based on the idea of government and corporate transparency without defining what that actually means. However, instance after instance shows why we need a certain level of confidentiality for our government. Then we have Anonymous who doesn't believe in privacy, but hides behind anonymity.

Re:

"The latest controversy just further demonstrates that some really shouldn't have access to information if they cannot use it responsibly."

Like the FBI agents who used record requests to get dirt on ex's? Or the police who did it. Or the IRS employees who did it. Or the hospital employees.

You do understand that Manning was covertly gathering the information after he saw more than enough hypocrisy in how our leaders spoke to the people and the backroom activities that they did.

He did not have this data for an extended period to go through and sift out only the "good juicy" things that would make the frontpage. Part of the reason to dump everything is to keep the context of what you're seeing. 1 scandalous cable is just 1 cable, being able to show that there is a pattern of behavior is more damning.

Please show me where exactly Manning talks about how he disregarded the effect on others. Other than a bunch of politicians screaming he would have blood on his hands, how much factual backing to this is there? Other than a "former" hacker and his writing partner we have very few people who can shed any light on Manning's motives, and Lamo and what's his lying name covered up a bunch of the chat logs that showed they were lying about how they reported it. Frontline did a hatchet piece on Manning based on speculation and a distaste for Assange.

The failure at Wikileaks is "questionable" in nature, simply because of the current Wiki/Open Leaks pissing contest. Many of the people who left Wikileaks on bad terms, were people who had access enough to set this in motion. One of the "trusted" papers with access to the cable archive had the access to screw this up.

We are often denied the truth of things because we can't understand it in the right "context". I would rather have my Government stop lying to me, stop condemning dictators for taking the same actions my Government has taken on my behalf secretly.

Re: Independent minds needed

"TAC they seem to believe that if unauthorized access to a network has been done then there is no problem if it is done again. Even if it was the result of lax security, which is just wrong."

The difference is the leak of Sony, which I do not believe was initially an AnonOp - just blamed on them by Sony - , exposed the gaping hole that was Sony security.
Hacking bad grrr.
Handing out your customers' credit card numbers and other information still isn't a crime. You get stuck with the bills and having to deal with reporting the crime, and trying to figure out where you went wrong. Sony poor Sony shouldn't have to pay for having a system that was pillaged several times before quietly.
The release of the data really was the only way to show people that Sony was actively screwing them.
It was the only way to embarrass the lawmakers to consider maybe holding a corporation to the rules.
Oh and the security rules were breaking the law. Sony's systems were not PCI compliant but somehow they can still take credit cards. The costs of them screwing up get passed on to all the other cardholders... not Sony.

The hacking that has been done by some under the banner of Anonymous has exposed corruption, the complete ineptness of the people advising the Government, the waste of money on pet projects, and raised serious questions about the access some companies have to government records. But hacking is worse than all of that.

Many under the banner of Anonymous go out and protest bad things. They don't hack or code, but they found a group of like minded people and want to take action.

You speak of Anonymous as this cohesive group, which means you do not understand.

Our society can not deal with government officials taking bribes, because they wrote the rules to make sure they get all of the benefits without breaking the laws they made. It takes a special sort of moron to get busted, like the Congressman with a minifridge packed with cash from bribes.

You assume all people who use the banner of Anonymous are guilty of these crimes, and I have to try and prove some of them might be innocent. So it's only evil when other people do it but not yourself?

Anonymous does not believe in privacy... you REALLY have no idea what you're speaking of here. They believe in privacy for the people, and they have done things to remind those that would try to remove others' privacy that we are watching.

Yes the Government needs to keep some secrets, but you can not explain why hiding John McCain having a chat with Gaddafi is the right thing to do. That hiding the US Government pressuring other Governments to support the aging business model of the movie and music industry is for our own good. That our Government forcing a foreign country to charge people with crimes, when there is no such law in that country. That sticking people on planes and sending them to places to be tortured is the right thing to do.

Transparency - its what we often get after a corporation screws up so badly that we have to sink the world economy to bail out what they did... and then we discover they broke the rules, and are still breaking the rules. Foreclosing on homes with fake documents, Foreclosing on homes they do not own, getting their wives 500 million loans from the Federal Reserve that do not have to be repaid.

The world is broken because of these secrets, so right now transparency is a move to try and unbreak the world. These secrets let our Government LIE TO US, this is unacceptable.

Re: Re:

"Like the FBI agents who used record requests to get dirt on ex's? Or the police who did it. Or the IRS employees who did it. Or the hospital employees."

These things should definitely be leaked. In fact, I believe they were 'leaked' by the GAO when abuses came to light. Not that the entire NSL thing isn't an entirely different cluster-fuck all together, but I digress.

"He did not have this data for an extended period to go through and sift out only the "good juicy" things that would make the frontpage."

He COULD have though. A little patience and he could have read through them himself and leaked those details that truly shocked the conscience.

"Part of the reason to dump everything is to keep the context of what your seeing. 1 scandalous cable is just 1 cable, being able to show that there is a pattern of behavior is more damning."

If that was his goal, he could have leaked a series of cables to show a pattern too.

"Please show me where exactly Manning talks about how he disregarded the effect on others. "

He didn't talk about disregarding others' lives. His actions spoke louder than his words. He either didn't consider carefully redacting his leaks or didn't care enough to try. Just as an example, how does a list of critical US assets like the location of mines that supply our economy with rare materials threaten the world, or anyone (other than those who wish to spy on or harm our economy) for that matter?

A responsible person would assume that these things were being kept semi-secret for a reason and only leaked what was necessary. He didn't even try to read through most of what he put out there. That was an irresponsible and dangerous act and no amount of "but it feels like it should be okay" will change that.

Re: Independent minds needed

"Hacking is a federal crime, and has been a crime before Anonymous came to prominence."

The word "hacking" gets thrown around way too much these days. "Hacking" as it is commonly known encompasses so much that some of it clearly is a crime, some of it clearly is not, and some falls in a grey area. Be more specific or you look ignorant.

"The problem with Anonymous is that the belief that they are doing something for a cause it must be right. With the earlier comment by TAC they seem to believe that if unauthorized access to a network has been done then there is no problem if it is done again. Even if it was the result of lax security, which is just wrong."

Whether or not it is illegal has little to do with legality. In the Sony case, nothing Anon did was new and any information published from Sony's servers was likely taken many times before by others. In context, anon did what they could to make the situation a little better in the long term by making it much worse in the short term. There is too much grey for me to call them right or wrong, but the situation was mostly of Sony's making.

I find the argument legal==moral to be extremely dangerous. We must all question authority or we will eventually have a dictator here too.

Re: Re: Independent minds needed

Re: Re: Re:

The problem is many things are covered up "for our own good".
It should not take the GAO to pry these things out.

He also could have tried to grow wings.
You're talking about a serious amount of data, in an odd format, and while he was on duty or on leave he was supposed to be able to parse the massive amount of data in the time allowed?
Given how our Government treats whistleblowers, he went to where he thought he could protect himself, then Lamo screwed him hard after the fact.

Several of the cables have been strung together, and no one seems to give a crap about what they show about the Government. All of the oxygen in the room has been sucked out with the whole WikiLeaks is trying to sell us out to terrorists! The questionable methods being used in holding Manning, and the Government pushing so very hard to find the thinnest thread to get Assange on something.

Question about the rare materials - they are rare... how hard could it have been for anyone to figure those out?

We are talking about a large amount of cables, and one might want to assume for 1 second that maybe Wikileaks promised their team would redact the information. He was not acting alone, he was acting with what he thought were professional leakers.

A responsible person seeing the video footage of a child being blown apart by a gun mounted on a helicopter, then run over by a vehicle, and then hearing the order to not give them aid might have been just a LITTLE pissed off. Someone reading cables telling them to lock the footage away and deny anything might have been a bit too far given everything else he saw inside this system.

Another point I think he was hoping to make was that so many things that are not earth shattering are being hidden as secret, because they can do it. Not that it protects anything but their own hides.

But then we requested people working in our name to get DNA for different world leaders quietly.

While in the end this was not handled well, most of that falls clearly on Wikileaks. Maybe Manning didn't meet your requirements as to what he had to do, but he thought he was dealing with professionals. Remember Wikileaks didn't look like a huge bunch of egomaniacs until after they had this.

I will give you he might have handled it differently, but I do not think he was disregarding people's lives. He made efforts to try to make sure it would be controlled properly.

Re: Re: Independent minds needed

Anonymous still denies involvement in the Sony hack.
The "best" evidence to date is an alleged text file on a Sony server that did not quote the full motto.

There was an "attack" on the Sony network during the time of the breach. The attack was designed to shut the network down in response to the company suing 'Geohot' for daring to tinker with a machine he bought and thought he owned. Despite his personal ethos of not doing this to allow cracked games to be played, people claim that is what this was all about.

There are many different versions of what happened, and it's possible we will never know the truth. But the idea that it was a failure of Sony to secure their systems will be a centerpiece.

While the release was damaging to many people all at once, it was less damaging than the slow bleed of people who could not find evidence of how their credit card, or life were misused by someone else. The big pile of data dumped gives you a wonderful thing to show the CC company... Look the number was published because Sony failed to secure their network me and several thousand other people all got screwed, shall we streamline the process for us reporting in and getting new cards now?

Given the miserable security at all levels of all governments...

...it's truly foolish to think that ANY of these documents (or the billions more just like them) are actually "secret", for any real meaning of "secret". Of course governments all over the planet have each others' documents: they've had them for years. But they all like to pretend that this isn't so, because it allows them to withhold them from their own citizens, many of whom are stupid and ignorant enough to believe the myth of "secrecy".

What governments have failed to learn -- because they too are heavily-populated with same ignorant and stupid people -- is that the best way to keep a secret is not to have it.

Re: Given the miserable security at all levels of all governments...

The first portion of your comment reminds me of a quote from someone talking about how the cables would "damage" our relations because they said mean things about some leaders and the response from others was that's nothing you should see what our cables say about you.

I think what damaged our relations was seeing the heavy hand taken behind closed doors to force people to bend to our will. To gather dirt on other diplomats and leaders, and what it might have been used to do.

As an employee of a very large and well respected Enterprise IT/IS Corporation, I am constantly reminded of the potential for network compromises. We have some rather large corporate names as our customers as well as many government departments. Our need for constant vigilance to remain in compliance with PCI and numerous other security standards is literally unending.
That having been said, I am also constantly reminded that our current government behemoth is slowly sucking out the life blood of this once great nation. If it takes the actions of groups like Anonymous and LulzSec and WikiLeaks to expose the two-faced, blatant coverups as well as the corporate purchasing of government action, then so be it. In conflict there are casualties. This is true in wars, revolutions, and government reform attempts. Taking the legal=moral ground is no excuse for sticking our heads in the sand. Legal!=moral.

Military IT guy: "Sir, we have millions of communication documents between the US branches worldwide and our land here."
Military high rank guy: "And what is the problem, soldier?"
IT guy: "They are available to any1 in our network without restrictions."
high rank guy: "Well, that's a problem. Compress and encrypt the database."
IT guy fires winzip: "What password should I set?"
high rank guy: "Well, it shouldn't be anything hard. Go for 123456."
IT guy: "Roger."
high rank guy: "And don't forget to make the password available for the network users."
IT guy: "Roger."